kernelnewbies.kernelnewbies.org archive mirror
From: fs.rajat@gmail.com (Rajat Sharma)
To: kernelnewbies@lists.kernelnewbies.org
Subject: Blocking the access to the device files.
Date: Thu, 30 Dec 2010 12:40:01 +0530
Message-ID: <AANLkTinQGS3ogt0_oQzzvRvcUfZS9OpYx=oW-ryqpZ=S@mail.gmail.com>
In-Reply-To: <20101230002439.GA2774@bimsstein>

Henry is right, nodev is the option for you. It passes the MS_NODEV
flag down to the kernel, which in turn sets the MNT_NODEV flag in the
mount object; the open system call checks that flag and returns -EACCES
if the file is a device node. Snippet from linux/fs/namei.c:

	case S_IFBLK:
	case S_IFCHR:
		/* device node on a mount carrying MNT_NODEV: refuse the open */
		if (path->mnt->mnt_flags & MNT_NODEV)
			return -EACCES;

The case which Greg was mentioning, I think that is solved through an
exclusive open of the block device with open_bdev_exclusive. This
allows only one opener of the block device at a time, i.e. the
filesystem is the exclusive opener of the block device while it is
mounted on it, e.g.

ext2_get_sb() -> get_sb_bdev() -> open_bdev_exclusive();

Rajat

On Thu, Dec 30, 2010 at 5:54 AM, Henry Gebhardt
<hsggebhardt@googlemail.com> wrote:
> On Wed, Dec 29, 2010 at 11:32:18PM +0000, Prasad Joshi wrote:
>> On Wed, Dec 29, 2010 at 4:12 PM, Mulyadi Santosa
>> <mulyadi.santosa@gmail.com> wrote:
>> > On Wed, Dec 29, 2010 at 20:06, Prasad Joshi <prasadjoshi124@gmail.com> wrote:
>> >> Hello All,
>> >>
>> >> ZFS file system has a property called devices. If turned off, ZFS
>> >> would not allow access to the device files (block/character) present
>> >> on the file system. I want to implement the same behavior on a
>> >> Linux file system.
>> >
>> > I don't know about ZFS, so could you please elaborate on what you mean
>> > by "ZFS could disallow access"?
>>
>> I am really sorry that I was not clear with the first mail. Thanks a
>> lot for all mail replies and for sharing important information.
>> By not disallowing access to device files I meant
>>
>> root at prasad-laptop:~# mount disk -o loop arm/
>>
>> root at prasad-laptop:~/arm# mount -t ext3
>> /dev/loop0 on /home/prasad/arm type ext3 (rw)
>>
>> ############# CREATING A DEVICE FILE ON THE FILE SYSTEM
>> root at prasad-laptop:~/arm# mknod zero c 1 5
>>
>> root at prasad-laptop:~/arm# ls
>> lost+found  zero
>>
>> root at prasad-laptop:~/arm# ls -l
>> total 12
>> drwx------ 2 root root 12288 2010-12-23 11:28 lost+found
>> crw-r--r-- 1 root root  1, 5 2010-12-23 11:28 zero
>>
>> root at prasad-laptop:~/arm# dd if=zero of=disk bs=10K count=10K
>> dd: writing `disk': No space left on device
>> 9313+0 records in
>> 9312+0 records out
>> 95354880 bytes (95 MB) copied, 1.00106 s, 95.3 MB/s
>>
>> root at prasad-laptop:~/arm# ls -l
>> total 93499
>> -rw-r--r-- 1 root root 95354880 2010-12-23 11:28 disk
>> drwx------ 2 root root    12288 2010-12-23 11:28 lost+found
>> crw-r--r-- 1 root root     1, 5 2010-12-23 11:28 zero
>>
>> Here the file system allowed access to the device file named zero. The
>> requirement is to turn off the access to all of the device files
>> present on the mounted file system, i.e., considering the above case,
>> access (open/read/write) to/from device zero should not be allowed
>> (even by root user). I don't know why would one create a device file
>> on a file system other than /dev.
>>
>> I could modify the open code to check if the file being
>> opened is a device file, then return either EPERM or EACCES (not sure
>> which one). But before modifying the code I thought of checking mount
>> flags, could not find one, hence thought of asking on mailing list.
>>
>> Thanks a lot for wonderful replies and sharing valuable information.
>> Hope the example above has made the requirement clear.
>>
>
> Maybe I, too, am completely misunderstanding you, but does the nodev
> option do what you want? From the mount manpage:
>
>     nodev - Do not interpret character or block special devices on the
>     file system.
>
> Use like so:
>
>     $ mount disk -o loop,nodev arm/
>
> You can still create device special files, you just can't access them.
>
> Greetings,
> Henry
>
> _______________________________________________
> Kernelnewbies mailing list
> Kernelnewbies at kernelnewbies.org
> http://lists.kernelnewbies.org/mailman/listinfo/kernelnewbies
>
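
Since the thread settles on the nodev mount option, a defender's natural follow-up is to audit which mounts on a host are missing it. The script below is an added example for this archive page, not code from any participant: it parses the kernel's /proc/self/mountinfo format (the optional-fields/"-" separator and the \ooo octal escapes the kernel uses for spaces in paths), finds the mount that actually backs a given path by longest-prefix match, and lists mount points where a mknod'd device node could still be opened. The embedded mountinfo text is constructed sample data, not captured from a real machine; the function names, the devtmpfs exemption and the sample mount layout are assumptions of this example.

```python
"""Audit /proc/self/mountinfo for mounts that still honour device nodes (no nodev)."""
import os
import re

# Constructed sample in /proc/self/mountinfo format (not captured from a real host).
# Fields: id parent major:minor root mountpoint options [optional...] - fstype source superopts
SAMPLE_MOUNTINFO = """\
22 1 8:1 / / rw,relatime shared:1 - ext4 /dev/sda1 rw,errors=remount-ro
23 22 0:5 / /dev rw,nosuid shared:2 - devtmpfs udev rw,size=1975392k
24 22 0:21 / /tmp rw,nosuid,nodev,noexec,relatime shared:3 - tmpfs tmpfs rw
25 22 7:0 / /home/prasad/arm rw,relatime shared:4 - ext3 /dev/loop0 rw
26 22 8:2 / /mnt/with\\040space rw,nodev,relatime shared:5 - ext4 /dev/sda2 rw
"""

_OCTAL_ESCAPE = re.compile(r"\\([0-7]{3})")


def _unescape(field):
    """Decode the \\ooo escapes the kernel emits for space, tab, newline and backslash."""
    return _OCTAL_ESCAPE.sub(lambda m: chr(int(m.group(1), 8)), field)


def parse_mountinfo(text):
    """Parse mountinfo text into a list of dicts with mount_point, options, fstype, source."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        # Optional fields are variable in number and terminated by a lone "-".
        pre, sep, post = line.partition(" - ")
        if not sep:
            raise ValueError("malformed mountinfo line: %r" % line)
        fields = pre.split()
        post_fields = post.split()
        if len(fields) < 6 or len(post_fields) < 2:
            raise ValueError("malformed mountinfo line: %r" % line)
        entries.append({
            "mount_point": _unescape(fields[4]),
            "options": set(fields[5].split(",")),
            "fstype": post_fields[0],
            "source": _unescape(post_fields[1]),
        })
    return entries


def mount_for_path(entries, path):
    """Return the entry whose mount point is the longest prefix of `path`."""
    path = os.path.normpath(path)
    best = None
    for entry in entries:
        mp = entry["mount_point"]
        if path == mp or path.startswith(mp.rstrip("/") + "/"):
            if best is None or len(mp) > len(best["mount_point"]):
                best = entry
    return best


def device_nodes_usable(entries, path):
    """True if a device node created at `path` could be opened (mount lacks nodev)."""
    entry = mount_for_path(entries, path)
    if entry is None:
        raise LookupError("no mount covers %r" % path)
    return "nodev" not in entry["options"]


def mounts_allowing_devices(entries, exempt=("devtmpfs",)):
    """Mount points where device nodes are honoured; devtmpfs (/dev) is exempt by design."""
    return sorted(
        entry["mount_point"]
        for entry in entries
        if "nodev" not in entry["options"] and entry["fstype"] not in exempt
    )


if __name__ == "__main__":
    # Use the live table when available, otherwise fall back to the constructed sample.
    try:
        with open("/proc/self/mountinfo") as fh:
            text = fh.read()
    except OSError:
        text = SAMPLE_MOUNTINFO
    for mp in mounts_allowing_devices(parse_mountinfo(text)):
        print("device nodes usable on:", mp)
```

Run against the constructed sample, the loop mount at /home/prasad/arm from Prasad's session is reported because it was mounted without nodev, while /tmp is not; on a real host the script reads the live table instead.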
